Security Considerations

[Dread Pirate Roberts]

As many of you are signing up, I would like to remind everyone that you should not reuse your password from either Silk Road marketplace or the forums. We have to now consider those avenues compromised and all information on their database may be available to the law enforcement officials. As a result, a new password is simply good practice. I would further highlight the importance of regular password changes and maintaining at least 8 characters in a password to resist any brute force attempts on your account. We have taken precautions against such attacks but your account will only ever be as secure as you are.

[Maestro]

Interesting edit. I wonder if it was intentional that you signed it like that before the edit or if it was an accident as a result of habit. Either way, I thought you were signing as DPR now, regardless of your identity.

[flwrchlds9]

Interesting.

Not possible to have the original staff key sign your key?

Also the "wide marketing push" sounds concerning.

Welcome and cheers however.

[boysen]

Edited the OP, good move. You probably shouldn't do that again.

[sevensix76]

Got the feeling I missed something important here;-)

[Maestro]

Edited the OP, good move. You probably shouldn't do that again.

Unless it was intentional, serving the purpose to make use believe it was an accident.

[Vy7wf]

Official fall guy?

[The President]

ahh smart thinking DPR. Password has been changed!

[gnbome]

Edited the OP, good move. You probably shouldn't do that again.

Unless it was intentional, serving the purpose to make use believe it was an accident.

What we used to call Information Warfare back in the day!

[CabinBoyNathanial]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

It is basic good form to not re-use passwords on any sites, but damn especially on sites like this.

Unique, nonsense passwords everywhere. It is a pain in the ass, but that's what we need to do.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (MingW32)

iQIcBAEBAgAGBQJSVhqtAAoJEIcwU1loxKLo0akP/juoeFMKRSqtG/jpYJ5oHu/1
7z1Eb5ThbBtbIltSd8uuQb7Zi9SLciRrt9vHG5KhCOO2UUYgtQi0V8qXLVqkbU1h
EN03cqoPWc5F0u0T034ZCl0YPM+WGx+xvbNZMN1AjxpEuIrrL63ErLfyFjb2ySxS
vWbU6kXXT2PzMOsW/HRqttQoU1a+rCshB2QywqXS8WH8687VaFzARJfbbH9bDFYn
JBOoNBW9fqONTSHswRW7PCA1vErEDUrWsOKgtFYTPkWBc/AA/S89E0wUyhLqoUIv
q9kVUlVdzhwtkJv3DjQelYK0oaT3qvlSBf3QnVwEJHOPoixuOn1wnRa5x05Pq+p6
NErZXInsnObFXHjO1b6k8zhdKTmhfCWNbOzC5YBife/OIP/aQQWmDUdADl/UAb//
ZV17PbYBgdifh6iudlOKSpP+qRda9apUiUGyX5mW7Wq5ODc4OYpiM3s6l3JvXOj3
pdFhSVh7InG0I5QRF73YNh/saE6hRU0Onilg7YKs4puOaL2ozM+Hzl0WvC9IKPd5
X804MspxQAFXEeURZ1MXHE1TPhkXsYYTDE2NCCZDvUtZkJdKfViGejT72444Zx4A
C4DwU2qnTYo9ub8ZKDgCTnWsN8884djCHyOjl+avrFFx7aOlj/B2YnWpNBCO9W5K
hRLEJ+oMVUr5a/8QFQI7
=GrU1
-----END PGP SIGNATURE-----

[MisterSister]

Interesting edit. I wonder if it was intentional that you signed it like that before the edit or if it was an accident as a result of habit. Either way, I thought you were signing as DPR now, regardless of your identity.

Can you PM me what I missed?

[flwrchlds9]

It is no important.

And never use the same password anywhere. Ever.

[stem]

What above said. and change password every once in a while.

[BlueGiraffe]

As many of you are signing up, I would like to remind everyone that you should not reuse your password from either Silk Road marketplace or the forums. We have to now consider those avenues compromised and all information on their database may be available to the law enforcement officials. As a result, a new password is simply good practice. I would further highlight the importance of regular password changes and maintaining at least 8 characters in a password to resist any brute force attempts on your account. We have taken precautions against such attacks but your account will only ever be as secure as you are.

I would think well over 8 characters for a password, like a minimum of 15, would be more appropriate...

BG

[anontoker]

I re-use phrases but not unique characters.

I also have groups of 8 char/num/sym passwords in memory.

Eventually I am doing away with any and all written password sheets which I really, really despise.

[horse]

thank you based DPR

[CLKR]

As well as not reusing passwords (for anything, if you get nicked they'l get all your clearnet passwords to try etc) its also best not to have them saved in a notepad document on your pc etc (happens much moreo ften than you'd think), keep them memorized only! Or is you're forgetful write a hint by hand under a friends table or something, somewhere itd never be found accidentally or could be linked back to you.

[Milkdud]

Um i dont know what the hell he edited but if it was any identifying information LEO now have it. They probably crawl this forum and harvest any and every change. People need to stop protecting insecure practices, especially from the guy whose running the site.


And you DPR, if you care so much about peoples security in light of all the info LEO now have from the old site, why are you letting old vendors reuse their ID's even though LEO now have a list of every bitcoin addressed they used in their account? All it takes is one straight no-mix cashout to be located and flipped. Im started to have doubts about the competency of our leadership.

[Dread Pirate Roberts]

Um i dont know what the hell he edited but if it was any identifying information LEO now have it. They probably crawl this forum and harvest any and every change. People need to stop protecting insecure practices, especially from the guy whose running the site.


And you DPR, if you care so much about peoples security in light of all the info LEO now have from the old site, why are you letting old vendors reuse their ID's even though LEO now have a list of every bitcoin addressed they used in their account? All it takes is one straight no-mix cashout to be located and flipped. Im started to have doubts about the competency of our leadership.

Once vendors are verified, they have an option to completely get a new identity so that not even staff will know who they are - only I will. If a vendor wants to start fresh and pay the bond to avoid even me knowing they can also do that.

[Thirtyrox]

As many of you are signing up, I would like to remind everyone that you should not reuse your password from either Silk Road marketplace or the forums. We have to now consider those avenues compromised and all information on their database may be available to the law enforcement officials. As a result, a new password is simply good practice. I would further highlight the importance of regular password changes and maintaining at least 8 characters in a password to resist any brute force attempts on your account. We have taken precautions against such attacks but your account will only ever be as secure as you are.

I would think well over 8 characters for a password, like a minimum of 15, would be more appropriate...

BG

+1 to this! My passwords on super sensitive situations have always been 18+ characters, and a mixture of upper/lower case letters, numbers, and symbols. Call me paranoid, but when it comes to something that may have potential to incriminate me legally, I just don't see a reason to skimp on something so simple as a password.

[ColorBlack]

symbols?! damn TR, good op-sec! I gotta get me some symbols too. I was thinking something like 'frosty@frosty'...
yeah yeah.. too soon..

[Thirtyrox]

symbols?! damn TR, good op-sec! I gotta get me some symbols too. I was thinking something like 'frosty@frosty'...
yeah yeah.. too soon..

  PM sent btw!

Peace!

[olmate]

Does anyone else here know about password cards? Just google it. You print a unique credit-card sized bit of paper (with an identification code to look it up if you ever lose it). This has a grid of letters numbers (and, I believe, symbols, if you want). The idea is you memorise a simple rule (eg 4left4down4diagonal(up,right)). Now you NEVER share or record the rule - if it is simple, you should never need to record it.
Then, you can write the coordinate of the first character of your password. So what if someone finds it. They don't know the rule, they have no idea what the password could be.
You can use the same card for as many passwords as you want. Why not?
Oh, NB, take care to preserve the unique identifying code of your password card, so that if you lose it/put it through the washing machine/whatever, you don't lose ALL your passwords!
OH, and, I'm pretty sure there's an app for your phone, if you don't want to carry around a piece of paper.

[blue]

Always have a unique core password that you can remember for each login and encryption, at least 12 characters long with small, big, numbers and special characters.
It might be hard to remember at first but when you have typed it several times it will stick.

Then make the password bigger with easy to remember patterns on your keyboard like olmate says. Or just fill in another 15 characters like "KKKKKKKKKKKKKKK".
Your password is now already stronger and you will not forget it as easy as a more random password.
Once you get used to create and remember these passwords they will evolve and get better and better.

Your passwords is one of the most important things you have to protect yourself, your account, your encryption, your bitcoins and everything.
You are smart! You can create and remember a secure password!
Remember that and never allow yourself to sink to the low level of dumb lazy people.

[wishihada2jz]

Changing passwords often is just good OPSEC and everyone should start shifting towards taking any measures possible to increase security. Using a pass "phrase" instead of a pass "word" is always a good basic starting point. Song lyrics work nicely. Or movie quotes, so long as your username doesn't reference the film (hey, would just make the guessing pool smaller). This is just one small tiny thing we can all do. Don't need a degree in programming to make a complex passphrase

[MrPharmacist]

Remembering a really long password isn't hard. you could use the lyrics of a song you know off by heart for example then chuck your first ever phone numbers in there randomly or some shit. One of the Pirate Bay founders knew the first 100 decimal digits of PI by heart which are:  3.14159 26535 89793 23846 26433 83279 50288 41971 69399 37510 58209 74944 59230 78164 06286 20899 86280 34825 34211 70679

and I think he may have even used that as a password as he mentioned regularly typing it on his keyboard from memory in the PB documentary.

However he's also the one who didn't encrypt his computer hard drive if memory serves so....you need to dot your security i's and cross your T's no matter how good and unique your password...

There's a million crazy tricks to remember shit like that.

I bet loads of geeks use Pi as a password though so instead of PI you could simply use a long stack of randomly-chosen numbers with a few capital and small case letters thrown in. Here's a wiki how on remembering long lists of numbers from the CLEARNET: http://www.wikihow.com/Memorize-Pi

I can barely remember my old phone numbers Lief !!! ha ha x

[40005a]

I've found it's pretty easy to make many unique passwords with a length of 30+ characters, always with lots of symbols mixed in of course, of course. You just need to find a system that works for you and, practice, practice, practice.

[MrPharmacist]

I've found it's pretty easy to make many unique passwords with a length of 30+ characters, always with lots of symbols mixed in of course, of course. You just need to find a system that works for you and, practice, practice, practice.

I agree, working out a password system is the way forward.  I have them written down in 'reminder code'.  i.e. words which remind me of the password.  For example if my password was: "brown1977Taylor1998cunt1kAfrica",  my reminder code would be:

Login: MisterP
Password: firstcarYEARMaidenGRADrudeZX81Honey

When reading the reminder, I would know the following:

'first car' always refers to the colour = brown
'YEAR' is always the year after I was born = 1977
maiden is mums maiden name = Taylor
GRAD is always the year before I graduated from Uni = 1998
rude always = cunt
ZX81 was my first ever computer and always  = 1k (that's how much memory it had!)
Honey is where my honeymoon was, so always = Africa

So these reminders  / triggers would be enough to jog my memory on the order of the password components.... but only I would know what they mean.

After enough logins I tend to memorize the important p-words anyway,  but the reminders are just there in case of amnesia.....

Find a system that works for you, and one that is interchangeble so you can change it up from time to time....

[Nightcrawler]

I've found it's pretty easy to make many unique passwords with a length of 30+ characters, always with lots of symbols mixed in of course, of course. You just need to find a system that works for you and, practice, practice, practice.

I agree, working out a password system is the way forward.  I have them written down in 'reminder code'.  i.e. words which remind me of the password.  For example if my password was: "brown1977Taylor1998cunt1kAfrica",  my reminder code would be:

Login: MisterP
Password: firstcarYEARMaidenGRADrudeZX81Honey

When reading the reminder, I would know the following:

'first car' always refers to the colour = brown
'YEAR' is always the year after I was born = 1977
maiden is mums maiden name = Taylor
GRAD is always the year before I graduated from Uni = 1998
rude always = cunt
ZX81 was my first ever computer and always  = 1k (that's how much memory it had!)
Honey is where my honeymoon was, so always = Africa

So these reminders  / triggers would be enough to jog my memory on the order of the password components.... but only I would know what they mean.

After enough logins I tend to memorize the important p-words anyway,  but the reminders are just there in case of amnesia.....

Find a system that works for you, and one that is interchangeble so you can change it up from time to time....

The problem with this system is that it depends on information that you know, or that is discoverable about you.  If you should ever be raided, you can be certain that dictionary attacks will be mounted against your encrypted data based on your personal information. As evidence of this, I would refer you to Brian Krebs' excellent article in the Washington Post:

DNA Key to Decoding Human Factor
Secret Service's Distributed Computing Project Aimed at Decoding Encrypted Evidence
By Brian Krebs
washingtonpost.com Staff Writer
Monday, March 28, 2005; 6:48 AM

http://www.washingtonpost.com/wp-dyn/articles/A6098-2005Mar28.html (clearnet)

The way to defeat any such system is to choose passphrases that are random. I recommend Diceware: http://www.diceware.com/  (clearnet)

DIceware passphrases are chosen by means of a random physical process: dice rolls.  Words are chosen from the Diceware list, based on the results of a 5-dice roll.     

What Is Diceware?

Diceware™ is a method for picking passphrases that uses dice to select words at random from a special list called the Diceware Word List. Each word in the list is preceded by a five digit number. All the digits are between one and six, allowing you to use the outcomes of five dice rolls to select one unique word from the list.

Here is a short excerpt from the Diceware word list:

 16655 clause
 16656 claw
 16661 clay
 16662 clean
 16663 clear
 16664 cleat
 16665 cleft
 16666 clerk
 21111 cliche
 21112 click
 21113 cliff
 21114 climb
 21115 clime
 21116 cling
 21121 clink
 21122 clint
 21123 clio
 21124 clip
 21125 clive
 21126 cloak
 21131 clock

The complete list contains 7776 short English words, abbreviations and easy-to-remember character strings.

Because the words are chosen based on random dice rolls, it is impossible for an opponent to know which words have been chosen, and in what order. Therefore, even if an opponent knew for certain that you had used Diceware, and that the length of your passphrase was 10 words, they would still be required to brute-force your passphrase. A 10-word Diceware passphrase contains 129-bits of entropy, or about twice the entropy of the 128-bit ciphers used in PGP/GPG, i.e. AES128, IDEA and CAST5. (FWIW, CAST5 is used by PGP/GPG to protect your private key.)

Your passphrase is your absolute, last-ditch line of defense -- if you're going to use one, make it a good one, one that the authorities can neither guess nor brute-force.

Nightcrawler
4096R/BBF7433B 2012-09-22 Nightcrawler <Nightcrawler@SR>
PGP Key: http://dkn255hz262ypmii.onion/index.php?topic=174.msg633090#msg633090
PGP Key Fingerprint = D870 C6AC CC6E 46B0 E0C7  3955 B8F1 D88E BBF7 433B

Security is a bit like religion... some things have to be taken on faith.
Where security differs from religion is that security is NOT retroactive.
Unlike Christianity, where you can come to Jesus, be 'saved' and have all
your sins washed away, with security you can adopt Tails or PGP, and be
secure from that point forward, but rest assured that your previous sins
(security failings) WILL come back to haunt you and bite you in the ass.
The original DPR is the poster child for that, right now.

[MrPharmacist]

+1 to you Nightcrawler.  You've enlightened me with regards to Diceware  This looks like a far more robust method of password selection.

I guess my method is ample for a buyer of personal amounts of drugs though.   Have a great weekend.

cheers,

Mr P